Re: Fwd: Rate Stratfor's Incident Response

[Laurelai <laurelai () oneechan org>]

On 1/11/12 1:15 AM, Kyle Creyts wrote:
> How many of those engaged in these attacks _could_ actually fix the 
> vulns they exploit? What is a good "rough estimate" in your opinion?
>
> On Jan 11, 2012 12:47 AM, "Laurelai" <laurelai () oneechan org 
> <mailto:laurelai () oneechan org>> wrote:
>
>     On 1/10/12 11:32 PM, James Smith wrote:
>     > Well I do agree with what you are stating. As I have seen incidents
>     > like this happen to many times.
>     > This mailing list is a big part of the IT Security community.
>     >
>     >
>     >
>     > -----Original Message----- From: Laurelai
>     > Sent: Wednesday, January 11, 2012 1:18 AM
>     > To: full-disclosure () lists grok org uk
>     <mailto:full-disclosure () lists grok org uk>
>     > Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident
>     Response
>     >
>     > On 1/10/12 10:18 PM, Byron Sonne wrote:
>     >>> Don't piss off a talented adolescent with computer skills.
>     >> Amen! I love me some stylin' pwnage :)
>     >>
>     >> Whether they were skiddies or actual hackers, it's still
>     amusing (and
>     >> frightening to some) that companies who really should know
>     better, in
>     >> fact, don't.
>     >>
>     > And again, if companies hired these people, most of whom come from
>     > disadvantaged backgrounds and are self taught they wouldn't have
>     as much
>     > a reason to be angry anymore. Most of them feel like they don't
>     have any
>     > real opportunities for a career and they are often right. Microsoft
>     > hired some kid who hacked their network, it is a safe bet he
>     isn't going
>     > to be causing any trouble anymore. Talking about the trust
>     issue, who
>     > would you trust more the person who has all the certs and experience
>     > that told you your network was safe or the 14 year old who
>     proved him
>     > wrong? We all know if that kid had approached microsoft with his
>     exploit
>     > in a responsible manner they would have outright ignored him,
>     that's why
>     > this mailing list exists, because companies will ignore security
>     issues
>     > until it bites them in the ass to save a buck.
>     >
>     > People are way too obsessed with having certifications that don't
>     > actually teach practical intrusion techniques. If a system is so
>     fragile
>     > that teenagers can take it down with minimal effort then there is a
>     > serious problem with the IT security industry. Think about it
>     how long
>     > has sql injection been around? There is absolutely no excuse for
>     being
>     > vulnerable to it. None what so ever. These kids are showing
>     people the
>     > truth about the state of security online and that is whats
>     making people
>     > afraid of them. They aren't writing 0 days every week, they are
>     using
>     > vulnerabilities that are publicly available. Using tools that are
>     > publicly available, tools that were meant to be used by the people
>     > protecting the systems. Clearly the people in charge of
>     protecting these
>     > system aren't using these tools to scan their systems or else
>     they would
>     > have found the weaknesses first.
>     >
>     > The fact that government organizations and large name companies and
>     > government contractors fall prey to these types of attacks just
>     goes to
>     > show the level of hypocrisy inherent to the situation.
>     Especially when
>     > their solution to the problem is to just pass more and more
>     restrictive
>     > laws (as if that's going to stop them). These kids are showing
>     people
>     > that the emperor has no clothes and that's whats making people
>     angry,
>     > they are putting someones paycheck in danger. Why don't we solve the
>     > problem by actually addressing the real problem and fixing
>     systems that
>     > need to be fixed? Why not hire these kids with the time and
>     energy on
>     > their hands to probe for these weaknesses on a large scale? The ones
>     > currently in the job slots to do this clearly aren't doing it.
>      I bet if
>     > they started replacing these people with these kids it would
>     shake the
>     > lethargy out of the rest of them and you would see a general
>     increase in
>     > competence and security. Knowing that if you get your network
>     owned by a
>     > teenager will not only get you fired, but replaced with said
>     teenager is
>     > one hell of an incentive to make sure you get it right.
>     >
>     >
>     > Yes they would have to be taught additional skills to round out what
>     > they know, but every job requires some level of training and
>     there are
>     > quite a few workplaces that will help their employees continue their
>     > education because it benefits the company to do so. This would be no
>     > different except that the employees would be younger, and
>     younger people
>     > do tend to learn faster so it would likely take less time to
>     teach these
>     > kids the needed skills to round out what they already know than
>     it would
>     > to teach someone older the same thing. It is the same principal
>     behind
>     > teaching young children multiple languages, they learn them
>     better than
>     > adults.
>     >
>     > _______________________________________________
>     > Full-Disclosure - We believe in it.
>     > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     > Hosted and sponsored by Secunia - http://secunia.com/
>     Yes I am aware they are, the ones who cry out that they are just
>     script
>     kiddies and such are the ones who are most likely to be vulnerable
>     in my
>     experience. Point is they still got owned, doesn't matter if the
>     method
>     was easy. In fact because it was easy should be an even greater
>     concern
>     to everyone here. The fact that Stratfor got owned like they did shows
>     they were beyond negligent, HBGary was the same as was Sony. They
>     shouldn't be trying to prosecute these kids they should go after these
>     companies for grossly mishandling peoples personal information.
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
More than the number of so called experts that can prevent it in the 
first place :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/